General
- Target: malware.exe
- Size: 11MB
- Sample: 211020-sagcpshbf9
- MD5: 5544ca0d55ecf9e4f1a738f01bcebe84
- SHA1: 54cf5562fd1e992baff6060f5262cecf5449fe1c
- SHA256: 37aa2beb667b66b5b548722f4a5b7c72d01b191c538e4ad1acb9467cbc5d8727
- SHA512: 676bd327e881bfea4134e60c97cf67fb500dc261d2e3515762ed098e9e56eb558fbec159a1af593aafcdb53f4892e33a5a28fe895be89a9f90c340cde68ba71f
- Static task: static1
- Behavioral task: behavioral1 (sample: malware.exe, resource: win11)
Malware Config
- Extracted: https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1
- Extracted (azorult): http://kvaka.li/1210776429.php
- Extracted (smokeloader, build 2020): http://gejajoo7.top/ ; http://sysaheu9.top/
- Extracted (redline, botnet "media18"): 91.121.67.60:2151
- Extracted (vidar 41.5, profile_id 937): https://mas.to/@xeroxxx
- Extracted (redline, botnet "fucker2"): 135.181.129.119:4805
- Extracted (raccoon, id 2f2ad1a1aa093c5a9d17040c8efd5650a99640b5), url4cnc: http://telegatt.top/oh12manymarty ; http://telegka.top/oh12manymarty ; http://telegin.top/oh12manymarty ; https://t.me/oh12manymarty
- Extracted (vidar 41.5, profile_id 1028): https://mas.to/@xeroxxx
- Extracted (raccoon, id 7c9b4504a63ed23664e38808e65948379b790395), url4cnc: http://telegka.top/capibar ; http://telegin.top/capibar ; https://t.me/capibar
Targets
- Azorult: An information stealer that was first discovered in 2016, targeting browsing history and passwords.
- Process spawned unexpected child process: This typically indicates the parent process was compromised via an exploit or macro.
- RedLine: RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine Payload
- Socelars Payload
- Suspicious use of NtCreateProcessExOtherParentProcess
- Grants admin privileges: Uses net.exe to modify the user's privileges.
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Vidar Stealer
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Modifies Windows Firewall
- Possible privilege escalation attempt
- Checks BIOS information in registry: BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings: Looks up the country code configured in the registry, likely a geofence.
- Loads dropped DLL
- Modifies file permissions
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Adds Run key to start application
- Checks installed software on the system: Looks up Uninstall key entries in the registry to enumerate software on the system.
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service: Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
-
MITRE ATT&CK Matrix (technique, number of matching signatures)
- Collection: Data from Local System (2)
- Command and Control: Web Service (1)
- Credential Access: Credentials in Files (2)
- Defense Evasion: Disabling Security Tools (1); Modify Registry (5); Install Root Certificate (1); Hidden Files and Directories (2); File Permissions Modification (1); Virtualization/Sandbox Evasion (1)
- Discovery: Query Registry (7); Remote System Discovery (1); System Information Discovery (7); Peripheral Device Discovery (1)
- Execution: none
- Exfiltration: none
- Impact: none
- Initial Access: none
- Lateral Movement: none
- Persistence: Modify Existing Service (2); Scheduled Task (1); Registry Run Keys / Startup Folder (1); Account Manipulation (1)
- Privilege Escalation: none